





Increasing the power of the verifier in Quantum Zero Knowledge 

Andre Chailloux (LRI, Université Paris-Sud), andre.chailloux@lri.fr
Iordanis Kerenidis (CNRS - LRI, Université Paris-Sud), ikeren@lri.fr

October 27, 2008


Abstract

In quantum zero knowledge, the assumption was made that the verifier is only using unitary
operations. Under this assumption, many nice properties have been shown about quantum
zero knowledge, including the fact that Honest-Verifier Quantum Statistical Zero Knowledge
(HVQSZK) is equal to Cheating-Verifier Quantum Statistical Zero Knowledge (QSZK) (see
[Wat02, Wat06]).

In this paper, we study what happens when we allow an honest verifier to flip some coins
in addition to using unitary operations. Flipping a coin is a non-unitary operation but doesn't
seem at first to enhance the cheating possibilities of the verifier since a classical honest verifier
can flip coins. In this setting, we show an unexpected result: any classical Interactive Proof
has an Honest-Verifier Quantum Statistical Zero Knowledge proof with coins. Note that in the
classical case, honest verifier SZK is no more powerful than SZK and hence it is not believed to
contain even NP. On the other hand, in the case of cheating verifiers, we show that Quantum
Statistical Zero Knowledge where the verifier applies any non-unitary operation is equal to
Quantum Zero-Knowledge where the verifier uses only unitaries.

One can think of our results in two complementary ways. If we would like to use the honest
verifier model as a means to study the general model by taking advantage of their equivalence,
then it is imperative to use the unitary definition without coins, since with the general one this
equivalence is most probably not true. On the other hand, if we would like to use quantum
zero knowledge protocols in a cryptographic scenario where the honest-but-curious model is
sufficient, then adding the unitary constraint severely decreases the power of quantum zero
knowledge protocols.

1 Introduction

Zero knowledge protocols propose an elegant way of doing formally secure identification. In these 
interactive protocols, a prover P knows a secret s and he wants to convince a verifier V that 
he knows s without revealing any information about s. The condition "without revealing any 
information" has been formalized in [GMR89, GMW91] and this security condition has been defined
in the computational (CZK) and the information-theoretic setting (SZK). Zero knowledge has
been extensively studied and found numerous applications in theoretical computer science and
cryptography (see [Vad99] and references therein).

In addition, zero knowledge is defined for the case of honest or cheating verifiers. In the honest 
verifier model, we force the protocol to be zero knowledge only against a verifier who follows the 
protocol but tries to extract as much information as possible from the interaction. An honest 
verifier is equivalent to the 'Honest-but-Curious' or 'Semi-Honest' adversary in cryptography. This 
model has been widely studied in cryptography and is important in certain realistic scenarios 
(for example online protocols), where the protocols are used in complex interactions with limited 
capacity of cheating ([Gol01], ch. 7). Moreover, in the case of classical zero knowledge it is
particularly interesting, due to the fact that it is equivalent to the general Zero-Knowledge model
against cheating verifiers [GSV98].

In 2002, Watrous proposed a quantum equivalent of zero knowledge proofs [Wat02] for the case
of honest verifiers. In this definition, the prover and the verifier are allowed to use only unitary
operations and the zero knowledge property is defined in a seemingly weaker way than in the
classical case (see also Section 2). Watrous proved many interesting results for this class, such as
complete problems, closure properties and a few years later, that honest verifier equals cheating
verifier (i.e. HVQSZK = QSZK) [Wat06]. These results provided strong a posteriori evidence
that Watrous' definition is the right one for quantum Zero Knowledge. 

In this paper, we revisit the definition of quantum zero knowledge and examine the importance 
of the unitarity constraint. First, we increase the power of the honest verifier by allowing him to flip 
classical coins in addition to performing unitary quantum operations. Note that flipping classical 
coins is not a unitary operation and that coin flips are also allowed in the classical case. In this 
new setting, we also strengthen the definition of simulation in order to still catch the essence of 
Zero-Knowledge protocols. In particular, the verifier does not "forget" or "erase" these coins, since 
he remains honest but curious. Even though this augmentation to the model seems minimal if not 
trivial, we prove that any classical interactive proof has a quantum honest-verifier statistical zero-knowledge
proof (Section 3) with coins. Note that in the classical case, honest verifier SZK is no
more powerful than SZK and hence it is not believed to contain even NP. Our proofs go through
the notion of "hidden-bits" which has been previously studied in [FLS00] using ideas from [Kil88].

If, on the other hand, we look at cheating verifiers, we show that the most general cheating
strategies for quantum verifiers are the unitary ones. In Section 4 we transform any general Zero
Knowledge protocol into a unitary protocol that retains completeness, soundness and the zero-knowledge
property.

We like to see the consequences of our results from two different points of view. On one hand, if 
we want to use the honest verifier model as a means for the study of general zero knowledge, then 
the most important property that we would like is the equivalence of the two models. This way, 
one only needs to prove that a protocol is zero knowledge against honest verifiers and immediately 
conclude that it can also be made zero knowledge against cheating verifiers. Our results show that 
in this case, Watrous' definition with unitaries is indeed the right one, since we give strong evidence
that this equivalence does not hold in the non-unitary case. Moreover, we prove that the use of
non-unitaries does not change the power of a cheating verifier.

On the other hand, the Honest-but-Curious model (that corresponds to the honest verifier) is 
not only a means for the study of the malicious model (that corresponds to the cheating verifier) 
but an important model in itself pertinent to many realistic cryptographic scenarios. For example, 
in certain settings, we can assume that the verifier is semi-honest when he interacts with the prover
via a secure interface, e.g. an ATM or a secure web interface. In this case, it might suffice to assume
that the verifier does not open the ATM by force or hack the webpage, instead he can only provide 
well-chosen legal inputs to these machines and try to extract as much information as possible from 
the interaction. 

Organization of our work

• In Section 2 we first present the class HVQSZK originally defined by Watrous where the
verifier is allowed to use only unitary operations. We then extend this definition to the case
where the verifier can use only unitaries and flip some classical coins, resulting in the class
$HVQSZK^C$. Finally, we introduce the notion of hidden bits defined and used in [FLS00]
and [Pas05].

• In Section 3 we show the main result of our work: $PSPACE \subseteq HVQSZK^C$, and discuss
the applicability of the semi-honest model.

• In Section 4 we show that in the context of cheating verifiers, allowing the verifier to apply
non-unitaries is no more powerful than allowing him to use only unitaries. In other words, 
we show that QSZK^ = QSZK. 

2 Definitions of classical and quantum Statistical Zero Knowledge 

An interactive proof system for a problem $\Pi$ is an interactive protocol between a computationally
unbounded prover P and a probabilistic polynomial-time verifier V that satisfies the following two
properties:

• Completeness: if x is a YES instance of $\Pi$ ($x \in \Pi_Y$), then V will accept with probability
greater than 2/3 after interacting with P on common input x.

• Soundness: if x is a NO instance of $\Pi$ ($x \in \Pi_N$), then for every (even computationally
unbounded) prover strategy $P^*$, V will accept with probability less than 1/3 after interacting
with $P^*$ on common input x.

Definition 2.1 We say that a protocol (P, V) solves $\Pi$ if and only if (P, V) is an interactive proof
system for $\Pi$.

In the classical Zero-Knowledge setting, we want the Verifier to learn nothing from the interaction
with the Prover, other than the fact that the input is a Yes instance of the problem ($x \in \Pi_Y$)
when it is the case. The way this is formalized is that for $x \in \Pi_Y$, one can simulate in probabilistic
polynomial-time the Verifier's view of the protocol $view_{\langle P,V\rangle}(x)$, i.e. his private coins, the
messages he received from the Prover and the messages he sent to the Prover. Note that the view
is a distribution depending on the random coins of the Prover and the Verifier and contains all the
information that the Verifier gains by interacting with the Prover. Specifically,

Definition 2.2 A protocol (P, V) has the zero-knowledge property for $\Pi$ if there exists a probabilistic
polynomial-time simulator S and a negligible function $\mu$ such that for $\forall x \in \Pi_Y$, the simulator
outputs a distribution S(x) such that $|view_{\langle P,V\rangle}(x) - S(x)|_1 < \mu(|x|)$.

In our discussion so far, we have considered the case where the Verifier honestly follows the 
protocol but tries to extract as much information as possible from the interaction with the Prover. 
In order to do that, the Honest Verifier would keep a copy of all the messages and his coins 
throughout the protocol and would not erase or discard any of this information. 

We can now define the class of Honest Verifier Statistical Zero Knowledge (HVSZK):

Definition 2.3 $\Pi \in HVSZK$ iff there exists an interactive protocol (P, V) that solves $\Pi$ and that
has the zero-knowledge property for $\Pi$.

2.1 Honest Verifier Quantum Statistical Zero Knowledge 

Quantum Statistical Zero Knowledge proofs are a special case of Quantum Interactive Proofs.
They were defined for honest verifiers by Watrous in [Wat02] and have been also studied in
[Kob03, Wat06, Kob07]. We can think of a quantum interactive protocol (P, V)(x) for a promise
problem $\Pi$ as a circuit $(V_1(x), P_1(x), \ldots, V_k(x), P_k(x))$ acting on $\mathcal{V} \otimes \mathcal{M} \otimes \mathcal{P}$. $\mathcal{V}$ are the Verifier's
private qubits, $\mathcal{M}$ the message qubits and $\mathcal{P}$ the Prover's private qubits. $V_i(x)$ (resp. $P_i(x)$) represents
the $i$-th action of the Verifier (resp. of the prover) during the protocol and is described by
a super-operator acting on $\mathcal{V} \otimes \mathcal{M}$ (resp. on $\mathcal{M} \otimes \mathcal{P}$). $\beta_i$ corresponds to the state in $\mathcal{V} \otimes \mathcal{M} \otimes \mathcal{P}$
after the $i$-th action of the protocol. In other words, $\beta_0$ is the initial state, $\beta_{2i}$ is the state after $P_i$
and $\beta_{2i-1}$ the one after $V_i$.

Defining the Zero-Knowledge property in the quantum setting is not straightforward, even for 
the Honest Verifier case. We would still like to say that a quantum protocol has the zero knowledge 
property if there exists an efficient way to simulate the Verifier's view of the protocol. The main 
difficulty, however, is the definition of the view of the Verifier, since in the quantum case there is no 
notion of transcript. Indeed, the Verifier and Prover send the same qubits back and forth during the 
protocol and hence an Honest-but-curious Verifier cannot follow the protocol and simultaneously 
keep a copy of all the quantum messages that have been previously sent. 

Watrous ([Wat02]) tried to resolve these problems by defining honest verifier quantum zero
knowledge in the following way: the view of the Honest Verifier for every round j is the Verifier's
part of the state $\beta_j$, i.e. $view_{\langle P,V\rangle}(j) = Tr_{\mathcal{P}}(\beta_j)$. We say that the Verifier's view can be simulated
if there is a negligible function $\mu$ such that on any input x and for each step j we can create in
quantum polynomial-time a state $\sigma_j$ such that $\|\sigma_j - view_{\langle P,V\rangle}(j)\| < \mu(|x|)$.

We also distinguish the Verifier's view depending on whether the last action was made by the
Verifier or the Prover. We note $\rho_0$ the input state, $\rho_i$ the Verifier's view after $P_i$ and $\xi_i$ the Verifier's
view after $V_i$. Note that for a state $\sigma$ with $\|\sigma - \rho_i\| < \mu(|x|)$ it is easy to see that $\sigma' = V_{i+1}(\sigma)$ is
close to $\xi_{i+1} = V_{i+1}(\rho_i)$ in the sense that $\|\sigma' - \xi_{i+1}\| < \mu(|x|)$. Hence, we just need to simulate the
$\rho_i$'s and hence

Definition 2.4 A protocol (P, V) has the zero-knowledge property for $\Pi$ if there is a negligible
function $\mu$ such that $\forall x \in \Pi_Y$ and $\forall j$ we can create $\sigma_j$ with quantum polynomial computational
power such that $\|\sigma_j - \rho_j\|_{tr} < \mu(|x|)$.



Let us look more closely at the 'round-by-round' definition of the simulation. First, the fact
that we simulate the verifier's view at every round and not just at the end of the protocol ensures 
that the zero knowledge property is retained even if the Honest Verifier follows the protocol up to 
some round and then decides to abort. 

Second, in order for this definition to be pertinent in the honest but curious model, we need to 
ensure that the verifier will retain all the information that he acquires during the protocol and not 
forget any of it. One way to ensure this is by restricting the verifier to use only unitary operations. 
The intuition is that since unitary operations are reversible, they do not allow for 'forgetting' 
any information. This is precisely the way Watrous defined the class of Honest Verifier Quantum 
Statistical Zero Knowledge (HVQSZK): 

Definition 2.5 $\Pi \in HVQSZK$ iff there exists a quantum protocol (P, V) with V using only unitaries
that solves $\Pi$ and that has the zero-knowledge property for $\Pi$.

The above intuition was later confirmed by the fact that indeed Honest Verifier Quantum
Statistical Zero Knowledge with unitaries is equivalent to general cheating verifiers ([Wat06]).

2.2 The coin model for Honest Verifier Quantum Zero-Knowledge 

As we said, we would like to investigate the importance of the unitarity constraint in the power of 
quantum zero knowledge. For this, we define and study a new model for quantum zero-knowledge 
protocols, where we just allow the verifier to flip classical coins in addition to performing unitary 
operations. This is equivalent to saying that the verifier starts with a private random string r* or
in a quantum language that the verifier starts with some private qubits initialized to $|0\rangle$, acting
as the verifier's usual workspace, and additionally some qubits in the totally mixed state $\mathbb{I}$, acting
as the verifier's initial coins. The verifier uses his coins (the state $\mathbb{I}$) only as control bits. More
formally, if we suppose that the verifier starts with the state $\mathbb{I} \otimes |0\rangle\langle 0|$ in the space $A \otimes B$, then he
can only use the space A by applying unitaries of the form:

$$U(|x\rangle, |y\rangle) = |x\rangle \otimes |y \oplus f(x)\rangle \quad \text{with } |x\rangle \in A \text{ and } |y\rangle \in B$$

Note that this constraint just implies that the verifier doesn't forget his coins. In particular, he 
does not discard these bits by sending them to the prover. 

In this case, of course, one needs to be very careful with the definition of the simulation since 
now, the Verifier has the extra classical information of the coins. Since the interaction is quantum 
we still have to consider a 'round-by-round' simulation. However, in our definition of the
'round-by-round' simulation we need to insist that one must simulate the entire private random string of
the verifier in addition to the quantum view of the Verifier. 

Note that apart from these additional initial coins, the verifier is allowed to use only unitaries 
like in the original definition of HVQSZK. We can now define $HVQSZK^C$:

Definition 2.6 $\Pi \in HVQSZK^C$ iff there exists a quantum protocol (P, V), where the verifier's
initial state is $(|0\rangle\langle 0|)^{\otimes m} \otimes \mathbb{I}_n$, that solves $\Pi$ and has the zero-knowledge property for $\Pi$. The verifier
uses only unitaries and uses his coins (the state $\mathbb{I}_n$) only as control bits.

This model is meant to be a very small augmentation of the original model proposed by Watrous. 
Note that the verifier is not able to create by himself the totally mixed state using only unitaries. 



It is important to notice that the requirement "the prover uses the state $\mathbb{I}_n$ as control bits" means
that these coins are always part of his view of the protocol or in other words that he never forgets 
his coins. 

2.3 The hidden-bits model for Statistical Zero-Knowledge 

The hidden-bits model was first defined for Non-Interactive Zero-Knowledge [FLS00]. However, it
naturally extends to the interactive case. 

Definition 2.7 We say that the prover has a hidden-bit r with security parameter k iff: 

• r is a truly random bit known to the prover. 

• The verifier has no information about r. 

• The prover can reveal the value of the bit r to the Verifier. If he tries to convince the Verifier
that the value is $\bar{r}$ then he will be caught with probability $(1 - 2^{-k})$.

Definition 2.8 $\Pi \in HVSZK^{HB}$ iff there exists a classical protocol (P, V) that solves $\Pi$ and has
the zero-knowledge property for $\Pi$ where the prover starts with a polynomial number of hidden bits.

We can also define the associated quantum class

Definition 2.9 $\Pi \in HVQSZK^{HB}$ iff there exists a quantum protocol (P, V) that solves $\Pi$ and has
the zero-knowledge property for $\Pi$ where the prover starts with a polynomial number of hidden bits.

Note that the existence of hidden-bits is a very strong assumption. In particular, we can remark 
that hidden-bits imply that the prover and verifier can perform bit commitment with perfect hiding 
and statistically binding conditions. Bit commitment is a primitive used in many cryptographic 
protocols. More formally: 

Definition 2.10 A bit commitment scheme with perfect hiding condition and statistically binding
condition with security parameter k is a scheme with a commit phase and a reveal phase such that:

• Commit phase: the prover chooses a bit c and commits to it by interacting with the verifier.
At the end of the interaction, the verifier has no information about c (perfectly hiding).

• Reveal phase: the prover sends a message to the verifier and reveals the committed bit c. If
the prover tries to cheat and reveal $\bar{c}$ then he will be caught by the verifier with probability
greater than $(1 - 2^{-k})$ (statistically binding).

Note that both classically and quantumly, bit commitment schemes with $k > 1$ do not exist
unconditionally [LC97, May97]. However, there is an easy way to do bit commitment which is
perfectly hiding and statistically binding with security parameter k from a hidden bit r with
security parameter k. The prover commits to a bit c by sending $c \oplus r$ and later reveals r. After the
commit phase the verifier has no information about r (and hence c) and during the reveal phase the
prover cannot lie about r (and hence c) without being caught with probability at least $(1 - 2^{-k})$.
Hence, this scheme is a commitment scheme which is perfectly hiding and statistically binding with
security parameter k.

Classically, if we suppose the existence of such a bit commitment scheme, we can create zero-knowledge
protocols for all interactive proofs [BGG+90], and since Shamir showed that IP = PSPACE [Sha92], we have

$$PSPACE = IP \subseteq HVSZK^{HB}$$



3 The role of coins in Quantum Statistical Zero-Knowledge 

In this section we start by discussing how coins have already been used in quantum zero-knowledge 
protocols even with the original definition of HVQSZK with unitaries. We then proceed to prove 
our main result, that $HVSZK^{HB} \subseteq HVQSZK^C$, which implies that $PSPACE \subseteq HVQSZK^C$.
Since $QMA \subseteq PSPACE$ we can already conclude that QMA has an HVQSZK protocol with
coins. In Appendix A we explicitly describe a protocol for a QMA complete problem that has
constant rounds and relies in fact only on the ability to do bit commitment. 

3.1 Using coins in quantum zero-knowledge protocols 

Flipping a coin is a quantum non-unitary operation and therefore it should not be a priori allowed 
in Quantum Zero-Knowledge protocols. More precisely, a unitary quantum circuit cannot create 
the totally mixed state $\sum_{r \in \{0,1\}} |r\rangle\langle r|$; rather it can create the superposition of all the values of the
coin as $\sum_{r \in \{0,1\}} |r\rangle$. Note that by using this state, the verifier can still run a protocol where he is
supposed to flip coins. The only difference is that his private qubits have changed and, therefore, 
the Zero-Knowledge property is not necessarily retained. 

Coin flips have already been used in quantum Zero-Knowledge, for example in the QSD, the
3-Coloring or the Graph Isomorphism protocol described in [Wat02, Wat06]. In these protocols, it
was implied that by using only unitaries, we could create quantum states such that the protocol 
would work in exactly the same way as with the coin flips. This is indeed the case for these three 
protocols and more generally in the following situations: 

• The coins are made public: in this case, the verifier creates $\sum_{r \in \{0,1\}} |r\rangle|r\rangle$ and sends half of
this state to the prover. The prover and the verifier both have $\sum_{r \in \{0,1\}} |r\rangle\langle r|$, which is the
desired state. This is what happens for example in the 3-coloring protocol in QZK or in the 
Graph isomorphism protocol. Note that for the 3-coloring protocol it would not be possible 
to do the simulation if the coins were in superposition. 

• The coins are not necessary for the Zero-Knowledge property: in some protocols the Zero- 
Knowledge property does not depend on whether the verifier creates his coins in superposition 
or flips classical coins. This is what happens in the QSD protocol. 

However, we will show that the situation is much more subtle than first thought. If the honest 
verifier is allowed coin flips, then we can show how to create hidden-bits and hence prove that 
$HVQSZK^{HB} \subseteq HVQSZK^C$. This allows us to conclude that $PSPACE \subseteq HVQSZK^C$. This
is a striking result that comes in contrast to the classical and the quantum unitary honest verifier
HVSZK and HVQSZK, since these classes are not known nor believed to contain even NP¹.
The next section will be devoted to the proof of this fact. 

3.2 From coins to Hidden Bits 

We will first present a general method to create hidden-bits out of shares. We will then show a 
way to achieve these shares with a quantum honest verifier that has coins. 



¹ In the classical case, $NP \subseteq HVSZK$ implies that the polynomial hierarchy collapses [BHZ87], but no such results
are known for the quantum case.



3.2.1 A general method for creating hidden-bits 

The method described here is the one used in [Pas05] to create hidden bits from secret help, which
in turn uses ideas from [Kil88] in order to do Oblivious Transfer. For clarity of exposition, we
show how to hide a single bit, but the construction naturally generalizes to n bits by repeating in 
parallel. 

Proposition 3.1 Let three random bits $(s^0, s^1, b)$ be such that: the prover knows $s^0$ and $s^1$ and
has no information about b; the verifier knows b and the associated bit $s^b$ but has no information
about $s^{\bar{b}}$. Then we can create a hidden bit r with security parameter k = 1.

Proof: From these bits, the associated hidden bit will be $r = s^0 \oplus s^1$, and $s^0, s^1$ will be called
the shares of r. The way the prover will reveal r is by sending these two shares to the verifier who
checks that they correspond with the one share he has. We now show that r is a hidden bit with
security parameter 1:

• Since $s^0$ and $s^1$ are random and known to the prover, then so is r.

• Since the verifier knows $s^b$ but has no information about $s^{\bar{b}}$, he has no information about r.

• If the prover tries to lie about r then he has to flip exactly one of the two shares. He will get
caught if he flips $s^b$ and will not get caught if he flips $s^{\bar{b}}$. Since he has no information about
b, he will be caught cheating with probability 1/2.

Note that if we have for each hidden bit r, k independent random couples of shares $(s_i^0, s_i^1)$ such
that $s_i^0 \oplus s_i^1 = r$ then similarly, we can suppose that r is a hidden-bit with security parameter k.
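
The share construction of Proposition 3.1, together with the commitment $c \oplus r$ built from a hidden bit in Section 2.3, as an added Python example that is not code from the paper. The function names and the trusted dealing step `deal_shares` are assumptions made for illustration; the cheating probability for k share pairs is computed exactly by enumeration.

```python
import itertools
import secrets
from collections import Counter
from fractions import Fraction


def deal_shares(r, k):
    """Deal k share pairs for the hidden bit r (illustrative trusted dealer).

    The prover holds every pair (s0, s1) with s0 ^ s1 == r; for each pair the
    verifier holds a random position b and the single share s^b.
    """
    prover, verifier = [], []
    for _ in range(k):
        s0 = secrets.randbits(1)
        pair = (s0, s0 ^ r)
        b = secrets.randbits(1)
        prover.append(pair)
        verifier.append((b, pair[b]))
    return prover, verifier


def check_reveal(revealed_pairs, verifier):
    """Verifier's check: returns the revealed bit, or None if the prover is caught."""
    if len(revealed_pairs) != len(verifier):
        return None
    values = {s0 ^ s1 for s0, s1 in revealed_pairs}
    if len(values) != 1:  # pairs that disagree on r are rejected outright
        return None
    for pair, (b, sb) in zip(revealed_pairs, verifier):
        if pair[b] != sb:  # the share the verifier already knows must match
            return None
    return values.pop()


def best_cheat_probability(k):
    """Exact success probability of the best strategy for revealing the wrong bit.

    Every forged pair must XOR to the flipped bit, so the prover flips exactly
    one share per pair; `flips` lists which one. b is uniform from his side.
    """
    pairs = [(0, 0)] * k  # fixed honest pairs; the result does not depend on them
    best = Fraction(0)
    for flips in itertools.product((0, 1), repeat=k):
        forged = [(s0 ^ (f == 0), s1 ^ (f == 1)) for (s0, s1), f in zip(pairs, flips)]
        wins = 0
        for bs in itertools.product((0, 1), repeat=k):
            verifier = [(b, pair[b]) for b, pair in zip(bs, pairs)]
            if check_reveal(forged, verifier) is not None:
                wins += 1
        best = max(best, Fraction(wins, 2 ** k))
    return best


def verifier_view_distribution(r):
    """Counts of the verifier's view (b, s^b) for one pair, over uniform s0 and b."""
    views = Counter()
    for s0, b in itertools.product((0, 1), repeat=2):
        pair = (s0, s0 ^ r)
        views[(b, pair[b])] += 1
    return views


def commit(c, r):
    """Commit phase: the prover sends c XOR r."""
    return c ^ r


def open_commitment(message, revealed_pairs, verifier):
    """Reveal phase: returns the committed bit, or None if the reveal of r is rejected."""
    r = check_reveal(revealed_pairs, verifier)
    return None if r is None else message ^ r


if __name__ == "__main__":
    k = 3
    r = secrets.randbits(1)
    prover, verifier = deal_shares(r, k)
    message = commit(1, r)
    print("opened bit:", open_commitment(message, prover, verifier))
    print("best cheating probability:", best_cheat_probability(k))
    print("view identical for r=0 and r=1:",
          verifier_view_distribution(0) == verifier_view_distribution(1))
```
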



3.2.2 A quantum way of achieving Hidden Bits 

From the coins of the verifier, we now show how to create the shares described in the previous part.
As before, we describe the construction of one hidden-bit which easily generalizes to n bits. We use
three qubits of the verifier's initial totally mixed state (three coins) as $\sum_{b, s^b, c \in \{0,1\}} |b, s^b, c\rangle\langle b, s^b, c|$.
As in the previous part, the bit b corresponds to which share the Verifier has and $s^b$ corresponds
to the value of that share. The bit c corresponds to the value of the other share in the Hadamard
basis, i.e. we define $|c^\times\rangle = \frac{1}{\sqrt{2}}(|0\rangle + (-1)^c|1\rangle)$. The verifier performs the unitary $U_{b,s^b,c}$ that depends
on $(b, s^b, c)$ and sends the outcome to the Prover.

$$U_{0,s^b,c} : |0\rangle|0\rangle \to |s^b\rangle|c^\times\rangle \quad \text{and} \quad U_{1,s^b,c} : |0\rangle|0\rangle \to |c^\times\rangle|s^b\rangle$$

The prover has two qubits which he measures in the computational basis and the outcomes of
this measurement will correspond to the two shares. One of these measurements will give $s^b$ and the
other one will give a random bit $s^{\bar{b}}$. The hidden bit r is equal to $s^b \oplus s^{\bar{b}}$.

Lemma 3.2 The above construction results in a hidden bit r with security parameter 1. 



Proof:

• The bit $r = s^b \oplus s^{\bar{b}}$ is random since the verifier picks $s^b$ at random and the outcome of the
measurement of $|c^\times\rangle$ in the computational basis is also random (hence $s^{\bar{b}}$ is random). Since
the prover knows the two shares he knows r.

• The verifier knows a share $s^b$ which is random since b is random. He has no information
about the share $s^{\bar{b}}$ since the outcome of the Prover's measurement of $|c^\times\rangle$ is independent of
the Verifier's coins. Hence he has no information about r.

• b is unknown to the prover: to show this, let $\rho_b$ be the state of the prover conditioned on the
verifier's coin b:

$$\rho_0 = \begin{cases} \text{wp. } 1/4 & |0,+\rangle \\ \text{wp. } 1/4 & |0,-\rangle \\ \text{wp. } 1/4 & |1,+\rangle \\ \text{wp. } 1/4 & |1,-\rangle \end{cases} \quad \text{and} \quad \rho_1 = \begin{cases} \text{wp. } 1/4 & |+,0\rangle \\ \text{wp. } 1/4 & |+,1\rangle \\ \text{wp. } 1/4 & |-,0\rangle \\ \text{wp. } 1/4 & |-,1\rangle \end{cases}$$

We can easily see that $\rho_0 = \rho_1$, hence the prover has no information about b. Moreover, since
$\rho_0 = \rho_1 = \mathbb{I}$, the prover's state is equivalent to a mixture of classical pairs of shares. Since he
has no information about b, the prover cannot cheat for any of those classical pairs of shares
with probability strictly greater than 1/2.



We can easily extend the above construction to a hidden-bit with security parameter k for 
any polynomial k (by creating k independent pairs of shares for this hidden-bit) and also to n 
hidden-bits with security parameter k by just repeating this process n times. 
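
An added exact check of the proof of Lemma 3.2 (not part of the paper): it builds the two qubits sent by the verifier as density matrices with rational entries, confirms that $\rho_0$ and $\rho_1$ both equal the totally mixed two-qubit state, and computes the prover's measurement statistics. The function names are illustrative assumptions.

```python
from fractions import Fraction
from itertools import product

HALF = Fraction(1, 2)


def ket_density(bit):
    """|bit><bit| as a 2x2 matrix."""
    m = [[Fraction(0)] * 2 for _ in range(2)]
    m[bit][bit] = Fraction(1)
    return m


def hadamard_density(c):
    """|c^x><c^x| with |c^x> = (|0> + (-1)^c |1>) / sqrt(2); the entries are exact."""
    sign = -1 if c else 1
    return [[HALF, sign * HALF], [sign * HALF, HALF]]


def kron(a, b):
    """Tensor product of two square matrices given as lists of rows."""
    n, m = len(a), len(b)
    return [[a[i // m][j // m] * b[i % m][j % m] for j in range(n * m)]
            for i in range(n * m)]


def message_state(b, s, c):
    """State of the two qubits sent by the verifier whose coins are (b, s^b, c)."""
    share, other = ket_density(s), hadamard_density(c)
    return kron(share, other) if b == 0 else kron(other, share)


def prover_state_given_b(b):
    """rho_b: the message averaged over the coins s^b and c, which the prover never sees."""
    total = [[Fraction(0)] * 4 for _ in range(4)]
    for s, c in product((0, 1), repeat=2):
        rho = message_state(b, s, c)
        for i in range(4):
            for j in range(4):
                total[i][j] += rho[i][j] / 4
    return total


def measurement_distribution(b, s, c):
    """Probability of each pair of outcomes (first qubit, second qubit)
    when the prover measures both qubits in the computational basis."""
    rho = message_state(b, s, c)
    return {(i >> 1, i & 1): rho[i][i] for i in range(4)}


def hidden_bit_distribution(b, s, c):
    """Distribution of r = XOR of the two measured shares, for fixed verifier coins."""
    dist = {0: Fraction(0), 1: Fraction(0)}
    for (q0, q1), p in measurement_distribution(b, s, c).items():
        dist[q0 ^ q1] += p
    return dist


if __name__ == "__main__":
    rho0, rho1 = prover_state_given_b(0), prover_state_given_b(1)
    print("rho_0 == rho_1:", rho0 == rho1)
    print("diagonal of rho_0:", [str(rho0[i][i]) for i in range(4)])
    # With b = 0 the first outcome is always s^b; the second is a fresh random bit.
    print("outcomes for (b, s, c) = (0, 1, 0):", measurement_distribution(0, 1, 0))
    print("hidden bit for (b, s, c) = (0, 1, 0):", hidden_bit_distribution(0, 1, 0))
```
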

Note also that the unitary used by the verifier uses his coins only as control bits. Therefore, 
we can use this construction to create hidden bits in a way which is consistent with our enhanced 
notion of simulation and show that $HVSZK^{HB} \subseteq HVQSZK^C$. Let us prove this fact formally:

Proposition 3.3 $HVSZK^{HB} \subseteq HVQSZK^C$

Proof:

Let $\Pi$ be a problem in $HVSZK^{HB}$ and (P, V) a classical zero-knowledge protocol with hidden-bits
that solves $\Pi$. We create the following quantum protocol (P', V') where the verifier starts with the
state $(|0\rangle\langle 0|)^{\otimes m} \otimes \mathbb{I}_n$ (acting as his workspace and coins).

• The verifier V' views his coins as the coins of the original verifier V and the coins needed in 
order to create hidden bits. 

• In the beginning of the protocol the verifier uses our construction and creates hidden bits 
with security parameter k. 

• Then, the prover and verifier both follow the original classical protocol {P, V). Note that this 
is possible since any classical circuit C can be transformed into a quantum unitary circuit Uc 
such that $U_C(|x, 0\rangle) = |x, C(x)\rangle$.



Note that since V' uses his coins as the private randomness of V, he can perform the classical
protocol (P, V) using unitaries.

We now prove that (P', V') is a Zero-Knowledge protocol that solves $\Pi$. Completeness is
straightforward from the completeness of the original protocol and the fact that in our construction
the prover can always reveal the correct hidden bits. Concerning soundness:

1. If the prover reveals all the hidden-bits correctly, the soundness of (P', V') is the same as the
soundness of (P, V).

2. If the prover lies on at least one of the hidden-bits he reveals, then the soundness of (P', V')
will be smaller than $2^{-k}$ since the hidden-bits created have security parameter k.

To show the zero-knowledge property, we use the fact that we can already simulate the verifier's
view in the protocol (P, V). This includes the private coins of V, the messages and in particular,
all the hidden-bits $r_i$ revealed by the prover.

In order to simulate the verifier's view in the new protocol (P', V') we have to additionally
simulate the following:

• All the coins that the verifier V' used in order to create hidden bits.

• The k pairs of shares $(s_i^0, s_i^1)_j$, $j \in [k]$, for every revealed hidden bit $r_i$.

First, the simulator just flips some coins in order to simulate all the random bits the verifier
uses to construct the hidden bits. In particular, for every revealed hidden bit $r_i$, the simulator has
the corresponding bits $(b_i, s_i^b, c_i)_j$, $j \in [k]$. From these bits and the value of $r_i$ (which we know from
the original simulation), we can now create all the couples of shares $(s_i^0, s_i^1)_j$. This allows us to
simulate the view of the verifier in the protocol (P', V'). ■



Theorem 3.4 $PSPACE \subseteq HVQSZK^C$

Proof: From Section 2.3 we know that $PSPACE \subseteq HVSZK^{HB}$. We now use the fact that
$HVSZK^{HB} \subseteq HVQSZK^C$ and conclude. ■

One might think that this surprising result comes from the fact that the round-by-round simu- 
lation is too weak in our setting and that a satisfactory zero-knowledge property is not achieved. In 
fact, if we assume that the verifier follows the protocol, then our notion of simulation is as strong as 
in the unitary case. The only extra information that the verifier has in our protocols is the initial 
random string which we always simulate at every round. 

3.3 Forcing the honest behaviour of the verifier 

From a cryptographic point of view, the important question is when we can actually assume that 
the verifier behaves in an honest way during a protocol. Watrous' result that QSZK = HVQSZK 
shows that if the protocol only asks the verifier to perform unitary operations, then we can actually 
force the verifier to behave honestly. Our result shows that this is probably very difficult to achieve 
unconditionally when the protocol asks the verifier to additionally flip coins, since in that case 
$IP \subseteq QSZK$. Note that this is a striking difference with the classical case where the verifier can
perform any classical operation (including coin flips). 



However, in certain realistic settings, we can assume that the verifier is semi-honest, for example 
when he interacts with the prover via a secure interface like an ATM or a secure web page. We 
are going to define a classical and a quantum model for this type of interaction in the following 
way. In the classical model, the prover and the verifier interact via a deterministic machine whose 
behaviour is known both to the prover and the verifier. The verifier interacts with the prover by 
providing a classical input to the machine which after performing some computation on this input, 
sends a message to the prover. On the other hand, the machine transmits the messages of the 
prover to the verifier unchanged. It is easy to see, that the languages that have a statistical zero 
knowledge protocol in this model are exactly the ones in the class of Honest Verifier Statistical 
Zero Knowledge (HVSZK), since an honest verifier can always act as the deterministic machine
and vice versa. Since HVSZK = SZK, we conclude that this type of interface does not increase 
the possibility to do zero-knowledge protocols. 

We can define a quantum analog of this model in the following way. The prover and the verifier 
interact via a deterministic machine whose behaviour is known both to the prover and the verifier. 
The verifier interacts with the prover by providing a classical input to the machine which after 
performing some computation on this input, creates a pure quantum state and shares it between 
the prover and verifier. On the other hand, the machine transmits the messages of the prover, which 
could be mixed quantum states, to the verifier unchanged. First, we can see that this model contains 
the class of Honest Verifier Quantum Statistical Zero Knowledge even when we allow the verifier to 
flip coins, since for any protocol there exists a machine that takes as input the private coins of the 
verifier and performs the same unitary operations as the verifier. Hence, unlike the classical case 
where this semi-honest model is no more powerful than SZK, in the quantum semi-honest case, 
we have zero-knowledge protocols for any problem in PSPACE (Section 3).

Let us also note that if we allow the verifier to provide quantum input to the machine, then
the above model is exactly the class QSZK. It would be very interesting to see what are the most 
general zero knowledge protocols for which we can force a quantum verifier to behave honestly. 

4 Non-unitaries and cheating verifiers 

4.1 Definitions 

The goal of this section is to describe Watrous' definition of Quantum Statistical Zero Knowledge 
(QSZK) for cheating verifiers. Consider a quantum zero-knowledge protocol between a prover P
and a verifier V where the verifier starts with an auxiliary input w. Additionally, the prover and 
verifier have as common input the input of the promise problem which is a classical string. All the 
operations described hereafter will depend on this input and this dependence will be omitted. 
We will use the following Hilbert spaces for our analysis. 

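• $\mathcal{P}$: the space of the prover.

• $\mathcal{M}$: the space where the prover and verifier store the messages they send.

• $\mathcal{V}$: the verifier's workspace, initialized to $|0\rangle$.

• $\mathcal{W}$: the verifier's space where the auxiliary input is initially stored.

Let $(P, V) = (P_1, V_1, \ldots, P_n, V_n)$. Each $P_i$ acts on $\mathcal{P} \otimes \mathcal{M}$ and each $V_i$ acts on $\mathcal{M} \otimes \mathcal{V} \otimes \mathcal{W}$. We can
tensor these operations with the identity and suppose that they all act on the space $\mathcal{P} \otimes \mathcal{M} \otimes \mathcal{V} \otimes \mathcal{W}$.
We can therefore see the whole protocol as a big operation $O$ acting on $\mathcal{P} \otimes \mathcal{M} \otimes \mathcal{V} \otimes \mathcal{W}$. More
formally:

Definition 4.1 For any protocol $(P_1, V_1, \ldots, P_n, V_n)$ where each $V_i$ and $P_i$ acts on $\mathcal{P} \otimes \mathcal{M} \otimes \mathcal{V} \otimes \mathcal{W}$
(in fact by tensoring the $V_i$'s and $P_i$'s with the identity) we denote by $O_{PV}$ the following admissible
mapping:

$$O_{PV} : \mathcal{L}(\mathcal{W}) \to \mathcal{L}(\mathcal{P} \otimes \mathcal{M} \otimes \mathcal{V} \otimes \mathcal{W})$$

$$\qquad : w \mapsto V_n(P_n(\cdots(V_1(P_1(|0\rangle \otimes w)))))$$

where $\mathcal{L}(\mathcal{X}, \mathcal{Y})$ is the set of linear operators from $\mathcal{X}$ to $\mathcal{Y}$, and $\mathcal{L}(\mathcal{X}) = \mathcal{L}(\mathcal{X}, \mathcal{X})$. In particular, any
mixed state in $\mathcal{X}$ can be represented as an element of $\mathcal{L}(\mathcal{X})$.

The zero-knowledge property concerns only what the verifier has at the end of the protocol.
Without loss of generality, we can suppose that $\mathcal{M}$ is empty since a cheating verifier can always
move the information from $\mathcal{M}$ to $\mathcal{V}$ at the end of the protocol. Hence, we will be interested in:

$$O_V : \mathcal{L}(\mathcal{W}) \to \mathcal{L}(\mathcal{V} \otimes \mathcal{W})$$

$$\qquad : w \mapsto \mathrm{Tr}_{\mathcal{P} \otimes \mathcal{M}}\big[ V_n(P_n(\cdots(V_1(P_1(|0\rangle \otimes w))))) \big]$$

which for short we will also denote as $O_V = \mathrm{Tr}_{\mathcal{P} \otimes \mathcal{M}} O_{PV}$. More generally, for any super-operator
$X$ that outputs in $\mathcal{A} \otimes \mathcal{B}$, we denote $\mathrm{Tr}_{\mathcal{A}} X$ the super-operator such that $(\mathrm{Tr}_{\mathcal{A}} X)(\rho) = \mathrm{Tr}_{\mathcal{A}}(X(\rho))$.
We say that $O_V$ is the mapping that corresponds to the verifier's view of the protocol. We want to
be able to simulate this mapping i.e. be able to create in quantum polynomial time a mapping $S$
which will act like $O_V$ and this for every auxiliary input $w$. We can now define QSZK: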

Definition 4.2 We say that $\Pi \in$ QSZK if there is a protocol $(P, V) = (P_1, V_1, \ldots, P_n, V_n)$ such
that:

• Completeness: $\forall x \in \Pi_Y$, the verifier accepts with probability greater than 2/3.

• Soundness: $\forall x \in \Pi_N$, and for all prover's strategies $P^*$, the verifier accepts with probability
smaller than 1/3.

• Zero-knowledge: for any cheating verifier $V^*$ (where $O_{V^*}$ is the mapping associated to $(P, V^*)$),
there is a function $\mu$ and a mapping $S : \mathcal{L}(\mathcal{W}) \to \mathcal{L}(\mathcal{V} \otimes \mathcal{W})$ that can be computed in quantum
polynomial time such that $\forall x \in \Pi_Y$, we have

$$\| O_{V^*} - S \|_\diamond < \mu(|x|),$$

where for any super-operator $\Phi$, $\|\Phi\|_\diamond = \sup\{ \|\Phi \otimes I_{\mathcal{L}(\mathcal{Z})}\|_{tr} : \mathcal{Z} \text{ is a complex Euclidean space} \}$
(see [KSV02] for more details on this diamond norm).

Note that if S uses V* only as a black box, then we can change the order of quantifiers and 
have a single mapping T, for all possible V* . 

In the definition of QSZK, the verifier and the prover can use any physically admissible
operation. We will show that in fact, if the zero-knowledge property holds against cheating verifiers
that only use unitaries then it also holds for cheating verifiers that use any physically admissible
operation. In other words, cheating strategies with unitary operations are the most general ones.

Definition 4.3 We say that $\Pi \in$ QSZK^ if there is a protocol $(P, V) = (P_1, V_1, \ldots, P_n, V_n)$ such
that:

• Completeness: $\forall x \in \Pi_Y$, the verifier accepts with probability greater than 2/3.

• Soundness: $\forall x \in \Pi_N$, and for all prover's strategies $P^*$, the verifier accepts with probability
smaller than 1/3.

• Zero-knowledge: for any cheating verifier $V^*$ that uses unitaries (where $O_{V^*}$ is the mapping
associated to $(P, V^*)$), there is a function $\mu$ and a mapping $S : \mathcal{L}(\mathcal{W}) \to \mathcal{L}(\mathcal{V} \otimes \mathcal{W})$ that can
be computed in quantum polynomial time such that $\forall x \in \Pi_Y$, we have

$$\| O_{V^*} - S \|_\diamond < \mu(|x|).$$

4.2 Unitary cheating verifiers are as powerful as general cheating verifiers 

In this section, we show that in the case of cheating verifiers, coin flips — and more generally any 
non-unitary operations — do not add anything to the power of quantum Zero-Knowledge. In other 
words, we show that 

Proposition 4.4 QSZK = QSZK^ 

Proof: We have by definition that QSZK $\subseteq$ QSZK^. We show now the other inclusion. The
main idea is to say that each time the verifier uses a non-unitary, he can use a larger unitary
which will act as a purification of this non-unitary which will only give him more information.
More formally, we use the following fact that is a direct corollary of the purification lemma (see
[NC00]).

Lemma 4.5 Let $C$ be a quantum, non-unitary circuit acting on a space $\mathcal{A}$. There is a space $\mathcal{B}$ of same
dimension as $\mathcal{A}$ and a unitary circuit $\tilde{C}$ acting on $\mathcal{A} \otimes \mathcal{B}$ such that $\mathrm{Tr}_{\mathcal{B}} \tilde{C} = C$.

Now consider a protocol $(P, V) = (P_1, V_1, \ldots, P_n, V_n)$ which has the zero-knowledge property
for any unitary cheating verifier $V$. Consider a cheating verifier $V^*$, the protocol $(P, V^*) =
(P_1, V_1^*, \ldots, P_n, V_n^*)$ and its associated mapping $O_{V^*}$ from $\mathcal{L}(\mathcal{W})$ to $\mathcal{L}(\mathcal{V} \otimes \mathcal{W})$. Recall that:

$$O_{V^*} = \mathrm{Tr}_{\mathcal{P} \otimes \mathcal{M}} (P_n \circ V_n^* \circ \cdots \circ P_1 \circ V_1^*)$$

Consider now $n$ additional Hilbert spaces $\mathcal{A}_1$ through $\mathcal{A}_n$ and admissible mappings $\tilde{V}_i^*$ such that

$$\forall i \quad \mathrm{Tr}_{\mathcal{A}_i} \tilde{V}_i^* = V_i^*$$

The spaces $\mathcal{A}_i$ are Hilbert spaces that the verifier possesses. Let us look at the protocol $(P, \tilde{V}^*) =
(P_1, \tilde{V}_1^*, \ldots, P_n, \tilde{V}_n^*)$ and $O_{\tilde{V}^*}$ the associated mapping for the verifier. This mapping is a mapping
from $\mathcal{L}(\mathcal{W})$ to $\mathcal{L}(\mathcal{A}_1 \otimes \cdots \otimes \mathcal{A}_n \otimes \mathcal{V} \otimes \mathcal{W})$. We know that there is a mapping $S$ computable in
quantum polynomial time such that $\| O_{\tilde{V}^*} - S \|_\diamond < \mu(|x|)$.

By construction, we know that $O_{V^*} = \mathrm{Tr}_{\mathcal{A}_1 \otimes \cdots \otimes \mathcal{A}_n} O_{\tilde{V}^*}$. Consider $S' = \mathrm{Tr}_{\mathcal{A}_1 \otimes \cdots \otimes \mathcal{A}_n} S$; we can
easily conclude that

$$\| O_{V^*} - S' \|_\diamond < \mu(|x|)$$

and that $S'$ is quantum polynomial time computable, which concludes our proof. $\square$

5 Conclusion and further work

We showed that the unitarity restriction in quantum Zero Knowledge is not inconsequential. In the 
case of Honest-Verifier, we showed that allowing the verifier to flip coins is sufficient to construct
quantum Statistical Zero Knowledge protocols for any Interactive Proof. This is the first time that 
Statistical Zero Knowledge was achieved for such a large class unconditionally, even in the case of 
honest verifier. We believe that it is a strong witness of the fact that HVQSZK ^ HVQSZK 
and therefore that coin flips increase substantially the power of Honest-Verifier Quantum Zero
Knowledge. We also showed that this difference does not hold when dealing with cheating verifiers. 

A first question concerning our result is whether it is possible to use it in realistic zero-knowledge 
protocols. While it seems improbable that our protocols can be transformed unconditionally into 
a protocol secure against cheating verifiers, this may be done using a 3rd party or computational 
assumptions. As future work, it would be interesting to develop a more realistic model for a 
quantum semi-honest adversary. 

Moreover, protocols which satisfy some weaker zero-knowledge properties are used in other 
cryptographic applications and it is also interesting to consider what can be done in the quantum 
setting. Finally, the main question that remains open is whether it is in fact possible to achieve 
cheating-verifier quantum Statistical Zero Knowledge for some classical language not in SZK or 
BQP. 

A Solving a QMA-complete problem in HVQSZK^

We show here how a QMA-complete problem can be solved using a protocol with Hidden-Bits.
Note that we already know that all of QMA can be done using hidden-bits. However, the protocol
we will show has constant rounds and relies in fact only on the ability to do bit commitment. We
transform a QMA protocol for the QMA-complete problem LCDM defined by Liu [Liu06] into a
Zero Knowledge one.

Local Consistency of Density Matrices (LCDM)

Input: a number $n$, a set $L \subseteq \{1, \ldots, n\} \times \{1, \ldots, n\}$ and matrices $M_{ij}$ of size $4 \times 4$ for all
$(i,j) \in L$. These matrices have $t = \mathrm{poly}(n)$ bits of precision.

Promise

Yes instance: There exists a quantum pure state $|\phi\rangle$ such that $\forall (i,j) \in L$, the reduced density
matrix of $|\phi\rangle$ on the pair of qubits $(i,j)$ is equal to $M_{ij}$.

No instance: For any quantum pure state $|\phi\rangle$, there is a couple $(i,j) \in L$ such that the reduced
density matrix of $|\phi\rangle$ on the pair of qubits $(i,j)$ has trace distance greater than $1/t$ from $M_{ij}$.

QMA protocol for LCDM: Let $x$ be an instance of LCDM. The verifier receives a state $(w_1, \ldots, w_K)$
that corresponds (if $x \in \mathrm{LCDM}_Y$) to $K$ copies of a witness of $x$. He then picks $(I_1, \ldots, I_K) \in L$
at random. For every witness $w_i$ he traces out all but the qubits in $I_i$ and hence has
$w_i^{I_i} = \mathrm{Tr}_{\{1,\ldots,n\} \times \{1,\ldots,n\} - I_i}\, w_i$. He then applies an accepting procedure $A(w_1^{I_1}, \ldots, w_K^{I_K})$.

Liu showed the following:

Proposition A.1 There exists $K \in \mathrm{poly}(n)$ and an accepting procedure $A$ for the verifier such
that the above procedure has completeness $1 - 2^{-n}$ and soundness $2^{-n}$.

In particular this shows that if $x \in \mathrm{LCDM}_N$ the prover cannot cheat, even by sending an entangled
state. We describe now a quantum statistical zero-knowledge protocol that will solve LCDM using
hidden-bits.



Protocol in HVQSZK^^ for the LCDM problem
Input: An instance $\Pi$ of the LCDM problem

DO $K$ times in parallel:

    HB : Use as a random string $r = (r_1, s_1, r_2, s_2, \ldots, r_n, s_n)$
    P : Let $|w\rangle$ be the witness in $\Pi$. Send $U_r |w\rangle$ to the Verifier.
    V : Pick $I = (x, y) \in_R L$ and send $I$ to the prover.
    P : Reveal $(r_x, s_x)$ and $(r_y, s_y)$ to the verifier.
    V : Apply $(X^{r_x} Z^{s_x})^\dagger$ (resp. $(X^{r_y} Z^{s_y})^\dagger$) to the $x$-th (resp. $y$-th) qubit; trace out the others.

END

Let $z^1, \ldots, z^K$ be the density matrices of the qubits the Verifier kept in each repetition.

    V : Compute $A(z^1, \ldots, z^K)$

Let $r = (r_1, s_1, \ldots, r_n, s_n)$ be a $2n$-bit string and $U_r$ a unitary that acts independently on $n$ qubits
such that $U_r = X^{r_1} Z^{s_1} \otimes \cdots \otimes X^{r_n} Z^{s_n}$, where $X$, $Z$ are the bit- and phase-flip operators. $U_r$
performs a perfect encryption of an $n$-qubit state, i.e. for any $n$-qubit state $\rho$ we have $\frac{1}{2^{2n}} \sum_r U_r \rho U_r^\dagger = I$.

Completeness and soundness For the $K$ parallel repetitions, the prover chooses $K$ witnesses
$w_1, \ldots, w_K$ similarly to the QMA protocol for $\Pi$ and the verifier's states at the end are
$z^1, \ldots, z^K$. Since the prover cannot lie on his hidden-bits and the verifier chooses the $I$'s at random,
the verifier has at the end exactly $w_1^{I_1}, \ldots, w_K^{I_K}$ with the $I_k$ chosen at random. Completeness and
soundness follow from Liu's analysis.

Zero Knowledge We need to simulate the Verifier's view after the Prover's first message ($\rho_1$)
and after the second message ($\rho_2$). The state $\rho_1$ consists of the message sent by the prover. From
the analysis of $U_r$, we know that the verifier's view of this state is the totally mixed state. This
is because he has no information about the hidden bits $r$. Therefore, $\rho_1 = I$ and can be easily
simulated.

The state $\rho_2$ is trickier. The verifier has a state $\rho$ that is the totally mixed state, a random
$I = (i,j) \in L$ and bits $(r_i, s_i, r_j, s_j)$ such that he can decode the qubits $(i,j)$ of $\rho$ and transform his
state into one which is totally mixed except on the qubits $(i,j)$, where the density matrix is $M_{ij}$.

We simulate this as follows: we pick $I \in_R L$ and some state $|a_I\rangle$, such that the reduced density
matrix on the qubits in $I = (i,j)$ is $M_{ij}$. Then we pick a random string $r = (r_1, s_1, \ldots, r_n, s_n)$ and
apply $U_r$ to the state $|a_I\rangle$. More precisely, we first create the quantum state $\sum_{I,r} |I\rangle |r\rangle |I\rangle\, U_r(|a_I\rangle)\, |r_i, s_i, r_j, s_j\rangle$
and then trace out the first two registers. The resulting state simulates the view of the Verifier
after the Prover's second message. We conclude that this problem is in HVQSZK and hence
in HVQSZK^.
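
The two zero-knowledge claims above can be checked numerically on a small case. The following Python sketch is an added example, not code from the paper: it builds the pad $U_r$ on 3 qubits, averages the verifier's state over every pad string, and compares a witness with a different global state that has the same reduced density matrix on the revealed pair. The states `W` and `A`, the pair (0, 1) and all function names are constructed for this illustration.

```python
from itertools import product

X, Z, I2 = [[0, 1], [1, 0]], [[1, 0], [0, -1]], [[1, 0], [0, 1]]

def matmul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]

def kron(a, b):
    return [[x * y for x in ra for y in rb] for ra in a for rb in b]

def dagger(a):
    return [[complex(v).conjugate() for v in col] for col in zip(*a)]

def pad(bits):
    """U_r = X^{r_1}Z^{s_1} (x) ... (x) X^{r_n}Z^{s_n}; bits = [(r_1, s_1), ...]."""
    u = [[1]]
    for r, s in bits:
        u = kron(u, matmul(X if r else I2, Z if s else I2))
    return u

def conj_by(u, rho):
    return matmul(matmul(u, rho), dagger(u))        # u rho u^dagger

def verifier_view(psi, revealed=()):
    """Verifier's state averaged over all pads, after undoing the revealed ones."""
    n = (len(psi) - 1).bit_length()
    rho = [[a * complex(b).conjugate() for b in psi] for a in psi]
    total = [[0] * len(psi) for _ in psi]
    for key in product((0, 1), repeat=2 * n):
        bits = list(zip(key[0::2], key[1::2]))      # (r_i, s_i) for qubit i
        enc = conj_by(pad(bits), rho)               # prover's message U_r|w>
        shown = [b if q in revealed else (0, 0) for q, b in enumerate(bits)]
        dec = conj_by(dagger(pad(shown)), enc)      # decode revealed qubits only
        total = [[t + d for t, d in zip(tr, dr)] for tr, dr in zip(total, dec)]
    return [[t / 4 ** n for t in row] for row in total]

def dist(a, b):                                     # largest entrywise difference
    return max(abs(x - y) for ra, rb in zip(a, b) for x, y in zip(ra, rb))

def mixed(n):                                       # totally mixed state, n qubits
    return [[(i == j) / 2 ** n for j in range(2 ** n)] for i in range(2 ** n)]

# Constructed sample states on 3 qubits (qubit 0 is the leftmost bit).
W = [.5, 0, 0, .5, 0, .5, .5, 0]   # "witness": |000> + |011> + |101> + |110>
A = [0, .5, .5, 0, .5, 0, 0, .5]   # simulator's state, same marginal on (0, 1)

if __name__ == "__main__":
    print(dist(verifier_view(W), mixed(3)))                           # rho_1 vs I
    print(dist(verifier_view(W, (0, 1)), verifier_view(A, (0, 1))))   # rho_2 vs S
```

Both distances come out as zero: before any bits are revealed the verifier holds the totally mixed state, and after the reveal his state depends only on the reduced density matrix of the chosen pair, which is all the simulator needs to know.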

Note that the LCDM problem is QMA-complete via randomized Turing reductions and hence 
this protocol cannot be used for all languages in QMA. Showing that LCDM is QMA-complete 
via mapping reductions is still an open problem. 